Items tagged security in 2017
The Mirai Botnet Was Part of a College Student Minecraft Scheme. Fascinating story about last year’s Mirai botnet, which was originally developed to help corner the Minecraft server market. # 15th December 2017, 3:18 am
Extended Validation is Broken. Ian Carroll spent $100 incorporating a company called “Stripe, Inc” in the state of Kentucky and $77 on an Extended Validation certificate tied to that legal entity. Safari (and Mobile Safari) now hide the URL bar completely, displaying “Stripe, Inc” in its place. “This means the attacker does not even need to register a convincing phishing domain. They can register anything, and Safari will happily cover it with a nice green bar.” # 12th December 2017, 1:36 am
Cybersecurity Campaign Playbook (via) “The information assembled here is for any campaign in any party. It was designed to give you simple, actionable information that will make your campaign’s information more secure from adversaries trying to attack your or-ganization—and our democracy.” # 3rd December 2017, 7:22 pm
TL;DR on the KRACK WPA2 stuff—you can repeatedly resend the 3rd packet in a WPA2 handshake and it’ll reset the key state, which leads to nonce reuse, which leads to trivial decryption with known plaintext. Can be easily leveraged to dump TCP SYN traffic and hijack connections.
Exploding Git Repositories. Kate Murphy describes how git is vulnerable to a similar attack to the XML “billion laughs” recursive entity expansion attack—you can create a tiny git repository that acts as a “git bomb”, expanding 12 root objects to over a billion files using recursive blob references. # 12th October 2017, 7:43 pm
The Absurdly Underestimated Dangers of CSV Injection. This is horrifying. A plain old CSV file intended for import into Excel can embed formulas (a value prefixed with an equals symbol) which can execute system commands—with a big honking security prompt that most people will likely ignore. Even worse: they can embed IMPORTXML() functions that can silently leak data from the rest of the sheet to an external URL—and those will work against Google Sheets as well as Excel. # 10th October 2017, 4:13 am